diff --git a/inc/config.php b/inc/config.php index b936da29..4d1b6d78 100644 --- a/inc/config.php +++ b/inc/config.php @@ -10,10 +10,16 @@ */ // Database stuff - define('MY_SERVER', 'localhost', true); - define('MY_USER', '', true); - define('MY_PASSWORD', '', true); - define('MY_DATABASE', '', true); + + // "mysql", "mysqli", "pgsql", "mssql" + define('DB_TYPE', 'mysql', true); + // Hostname or IP address + define('DB_SERVER', 'localhost', true); + // Login + define('DB_USER', '', true); + define('DB_PASSWORD', '', true); + // TinyBoard database + define('DB_DATABASE', '', true); // The name of the session cookie (PHP's $_SESSION) define('SESS_COOKIE', 'imgboard', true); diff --git a/inc/database.php b/inc/database.php new file mode 100644 index 00000000..0d93c3c7 --- /dev/null +++ b/inc/database.php @@ -0,0 +1,39 @@ +prepare($query); + } + + function query($query) { + global $pdo; + return $pdo->query($query); + } + + function db_error($PDOStatement=null) { + global $pdo; + if(isset($PDOStatement)) { + $err = $PDOStatement->errorInfo(); + return $err[2]; + } else { + $err = $pdo->errorInfo(); + return $err[2]; + } + } +?> \ No newline at end of file diff --git a/inc/functions.php b/inc/functions.php index fd87de43..aadc8525 100644 --- a/inc/functions.php +++ b/inc/functions.php @@ -7,22 +7,6 @@ return str_replace(array_keys($replaces), array_values($replaces), $str); } - - function sql_open() { - global $sql; - $sql = @mysql_connect(MY_SERVER, MY_USER, MY_PASSWORD) or error('Database error.'); - @mysql_select_db(MY_DATABASE, $sql) or error('Database error.'); - } - function sql_close() { - global $sql; - @mysql_close($sql); - } - - function mysql_safe_array(&$array) { - foreach($array as &$item) { - $item = mysql_real_escape_string($item); - } - } function setupBoard($array) { global $board; 
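Review bot: db_error() returns `$err[2]`, the driver's raw error text, and every call site in this diff passes that straight to error(), so a failing query shows table names and SQL fragments to whoever submitted the request. Log the full errorInfo() server-side and hand back a fixed message instead, e.g. `error_log(implode(' ', $err)); return 'Database error.';` — the generic wording the removed sql_open() already used. The top of this new file, including the PDO construction, is garbled in this view, so I cannot confirm that the connection sets PDO::ATTR_ERRMODE or disables PDO::ATTR_EMULATE_PREPARES; both matter because several queries elsewhere in the diff reuse a named placeholder (`:id`, `:time`), which PDO only accepts while emulation is on.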
@@ -45,94 +29,91 @@ function openBoard($uri) { global $sql; sql_open(); - $boards_res = mysql_query(sprintf( - "SELECT * FROM `boards` WHERE `uri` = '%s' LIMIT 1", - mysql_real_escape_string($uri) - ), $sql) or error(mysql_error($sql)); - if($_board = mysql_fetch_array($boards_res)) { - setupBoard($_board); + $query = prepare("SELECT * FROM `boards` WHERE `uri` = :uri LIMIT 1"); + $query->bindValue(':uri', $uri); + $query->execute() or error(db_error($query)); + + if($board = $query->fetch()) { + setupBoard($board); return true; } else return false; } function listBoards() { - global $sql; - sql_open(); - $boards_res = mysql_query("SELECT * FROM `boards`", $sql) or error(mysql_error($sql)); - - $boards = Array(); - while($_board = mysql_fetch_array($boards_res)) { - $boards[] = $_board; - } + $query = query("SELECT * FROM `boards`") or error(db_error()); + $boards = $query->fetchAll(); return $boards; } function threadExists($id) { - global $sql, $board; - $thread_res = mysql_query(sprintf( - "SELECT 1 FROM `posts_%s` WHERE `id` = '%d' AND `thread` IS NULL LIMIT 1", - mysql_real_escape_string($board['uri']), - $id - ), $sql) or error(mysql_error($sql)); + global $board; - if(mysql_num_rows($thread_res) > 0) { + $query = prepare(sprintf("SELECT 1 FROM `posts_%s` WHERE `id` = :id AND `thread` IS NULL LIMIT 1", $board['uri'])); + $query->bindParam(':id', $id, PDO::PARAM_INT); + $query->execute() or error(db_error()); + + if($query->rowCount()) { return true; } else return false; } function post($post, $OP) { - global $sql, $board; + global $pdo, $board; + + $query = prepare(sprintf("INSERT INTO `posts_%s` VALUES ( NULL, :thread, :subject, :email, :name, :trip, :body, :time, :time, :thumb, :thumbwidth, :thumbheight, :file, :width, :height, :filesize, :filename, :filehash, :password, :ip, :sticky)", $board['uri'])); + + // Basic stuff + $query->bindValue(':subject', $post['subject']); + $query->bindValue(':email', $post['email']); + $query->bindValue(':name', 
$post['name']); + $query->bindValue(':trip', $post['trip']); + $query->bindValue(':body', $post['body']); + $query->bindValue(':time', time(), PDO::PARAM_INT); + $query->bindValue(':password', $post['password']); + $query->bindValue(':ip', $_SERVER['REMOTE_ADDR']); + $query->bindValue(':sticky', 0, PDO::PARAM_INT); + if($OP) { - mysql_query( - sprintf("INSERT INTO `posts_%s` VALUES ( NULL, NULL, '%s', '%s', '%s', '%s', '%s', '%d', '%d', '%s', '%d', '%d', '%s', '%d', '%d', '%d', '%s', '%s', '%s', '%s', '0')", - mysql_real_escape_string($board['uri']), - $post['subject'], - $post['email'], - $post['name'], - $post['trip'], - $post['body'], - time(), - time(), - $post['thumb'], - $post['thumbwidth'], - $post['thumbheight'], - $post['file'], - $post['width'], - $post['height'], - $post['filesize'], - $post['filename'], - $post['filehash'], - $post['password'], - mysql_real_escape_string($_SERVER['REMOTE_ADDR']) - ), $sql) or error(mysql_error($sql)); - return mysql_insert_id($sql); + // No parent thread, image + $query->bindValue(':thread', null, PDO::PARAM_NULL); } else { - mysql_query( - sprintf("INSERT INTO `posts_%s` VALUES ( NULL, '%d', '%s', '%s', '%s', '%s', '%s', '%d', '%d', '%s', '%d', '%d', '%s', '%d', '%d', '%d', '%s', '%s', '%s', '%s', '0')", - mysql_real_escape_string($board['uri']), - $post['thread'], - $post['subject'], - $post['email'], - $post['name'], - $post['trip'], - $post['body'], - time(), - time(), - $post['has_file']?$post['thumb']:null, - $post['has_file']?$post['thumbwidth']:null, - $post['has_file']?$post['thumbheight']:null, - $post['has_file']?$post['file']:null, - $post['has_file']?$post['width']:null, - $post['has_file']?$post['height']:null, - $post['has_file']?$post['filesize']:null, - $post['has_file']?$post['filename']:null, - $post['has_file']?$post['filehash']:null, - $post['password'], - mysql_real_escape_string($_SERVER['REMOTE_ADDR']) - ), $sql) or error(mysql_error($sql)); - return mysql_insert_id($sql); + 
$query->bindValue(':thread', $post['thread'], PDO::PARAM_INT); } + + if($post['has_file']) { + $query->bindValue(':thumb', $post['thumb']); + $query->bindValue(':thumbwidth', $post['thumbwidth'], PDO::PARAM_INT); + $query->bindValue(':thumbheight', $post['thumbheight'], PDO::PARAM_INT); + $query->bindValue(':file', $post['file']); + $query->bindValue(':width', $post['width'], PDO::PARAM_INT); + $query->bindValue(':height', $post['height'], PDO::PARAM_INT); + $query->bindValue(':filesize', $post['filesize'], PDO::PARAM_INT); + $query->bindValue(':filename', $post['filesize']); + $query->bindValue(':filehash', $post['filesize']); + } else { + $query->bindValue(':thumb', null, PDO::PARAM_NULL); + $query->bindValue(':thumbwidth', null, PDO::PARAM_NULL); + $query->bindValue(':thumbheight', null, PDO::PARAM_NULL); + $query->bindValue(':file', null, PDO::PARAM_NULL); + $query->bindValue(':width', null, PDO::PARAM_NULL); + $query->bindValue(':height', null, PDO::PARAM_NULL); + $query->bindValue(':filesize', null, PDO::PARAM_NULL); + $query->bindValue(':filename', null, PDO::PARAM_NULL); + $query->bindValue(':filehash', null, PDO::PARAM_NULL); + } + + $query->execute() or error(db_error($query)); + + return $pdo->lastInsertId(); + } + + function bumpThread($id) { + global $board; + $query = prepare(sprintf("UPDATE `posts_%s` SET `bump` = :time WHERE `id` = :id AND `thread` IS NULL", $board['uri'])); + $query->bindValue(':time', time(), PDO::PARAM_INT); + $query->bindValue(':id', $id, PDO::PARAM_INT); + $query->execute() or error(db_error($query)); } function index($page, $mod=false) { 
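Review bot: In post(), the has_file branch binds `:filename` and `:filehash` to `$post['filesize']` rather than `$post['filename']` and `$post['filehash']`, so every upload is stored with the byte count in both columns; the fix is `$query->bindValue(':filename', $post['filename']);` and `$query->bindValue(':filehash', $post['filehash']);`. The same INSERT lists `:time` twice with a single bindValue(), which the PDO manual allows only when emulated prepares are on; binding a second name (`:bump`) keeps it working on the pgsql/mssql drivers that DB_TYPE now advertises. openBoard() still calls sql_open(), which this diff deletes from functions.php, and keeps a dead `global $sql`; unless the unseen part of inc/database.php redefines sql_open(), the first request fails on an undefined function. threadExists() passes no statement to db_error(), so on failure it reports the connection's last error rather than the failed statement's.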
@@ -142,57 +123,52 @@ $offset = round($page*THREADS_PER_PAGE-THREADS_PER_PAGE); sql_open(); - $query = mysql_query(sprintf( - "SELECT * FROM `posts_%s` WHERE `thread` IS NULL ORDER BY `sticky` DESC, `bump` DESC LIMIT %d,%d", - mysql_real_escape_string($board['uri']), - $offset, - THREADS_PER_PAGE - ), $sql) or error(mysql_error($sql)); - - if(mysql_num_rows($query) < 1 && $page > 1) return false; - while($th = mysql_fetch_array($query)) { + + $query = prepare(sprintf("SELECT * FROM `posts_%s` WHERE `thread` IS NULL ORDER BY `sticky` DESC, `bump` DESC LIMIT ?,?", $board['uri'])); + $query->bindValue(1, $offset, PDO::PARAM_INT); + $query->bindValue(2, THREADS_PER_PAGE, PDO::PARAM_INT); + $query->execute() or error(db_error($query)); + + if($query->rowcount() < 1 && $page > 1) return false; + while($th = $query->fetch()) { $thread = new Thread($th['id'], $th['subject'], $th['email'], $th['name'], $th['trip'], $th['body'], $th['time'], $th['thumb'], $th['thumbwidth'], $th['thumbheight'], $th['file'], $th['filewidth'], $th['fileheight'], $th['filesize'], $th['filename'], $th['ip'], $th['sticky'], $mod ? 
'?/' : ROOT); - $newposts = mysql_query(sprintf( - "SELECT `id`, `subject`, `email`, `name`, `trip`, `body`, `time`, `thumb`, `thumbwidth`, `thumbheight`, `file`, `filewidth`, `fileheight`, `filesize`, `filename`,`ip` FROM `posts_%s` WHERE `thread` = '%s' ORDER BY `time` DESC LIMIT %d", - mysql_real_escape_string($board['uri']), - $th['id'], - THREADS_PREVIEW - ), $sql) or error(mysql_error($sql)); - if(mysql_num_rows($newposts) == THREADS_PREVIEW) { - $count_query = mysql_query(sprintf( - "SELECT COUNT(`id`) as `num` FROM `posts_%s` WHERE `thread` = '%s'", - mysql_real_escape_string($board['uri']), - $th['id'] - ), $sql) or error(mysql_error($sql)); - $count = mysql_fetch_array($count_query); + $posts = prepare(sprintf("SELECT `id`, `subject`, `email`, `name`, `trip`, `body`, `time`, `thumb`, `thumbwidth`, `thumbheight`, `file`, `filewidth`, `fileheight`, `filesize`, `filename`,`ip` FROM `posts_%s` WHERE `thread` = ? ORDER BY `time` DESC LIMIT ?", $board['uri'])); + $posts->bindValue(1, $th['id']); + $posts->bindValue(2, THREADS_PREVIEW, PDO::PARAM_INT); + $posts->execute() or error(db_error($posts)); + + if($posts->rowCount() == THREADS_PREVIEW) { + $count = prepare(sprintf("SELECT COUNT(`id`) as `num` FROM `posts_%s` WHERE `thread` = ?", $board['uri'])); + $count->bindValue(1, $th['id']); + $count->execute() or error(db_error($count)); + + $count = $count->fetch(); $omitted = $count['num'] - THREADS_PREVIEW; $thread->omitted = $omitted; - mysql_free_result($count_query); unset($count); unset($omitted); } - while($po = mysql_fetch_array($newposts)) { + + while($po = $posts->fetch()) { $thread->add(new Post($po['id'], $th['id'], $po['subject'], $po['email'], $po['name'], $po['trip'], $po['body'], $po['time'], $po['thumb'], $po['thumbwidth'], $po['thumbheight'], $po['file'], $po['filewidth'], $po['fileheight'], $po['filesize'], $po['filename'], $po['ip'], $mod ? 
'?/' : ROOT)); } - mysql_free_result($newposts); $thread->posts = array_reverse($thread->posts); $body .= $thread->build(true); } - mysql_free_result($query); + return Array('button'=>BUTTON_NEWTOPIC, 'board'=>$board, 'body'=>$body, 'post_url' => POST_URL, 'index' => ROOT); } function getPages($mod=false) { global $sql, $board; - $res = mysql_query(sprintf( - "SELECT COUNT(`id`) as `num` FROM `posts_%s` WHERE `thread` IS NULL", - mysql_real_escape_string($board['uri']) - ), $sql) or error(mysql_error($sql)); - $arr = mysql_fetch_array($res); - $count = floor((THREADS_PER_PAGE + $arr['num'] - 1) / THREADS_PER_PAGE); + // Count threads + $query = query(sprintf("SELECT COUNT(`id`) as `num` FROM `posts_%s` WHERE `thread` IS NULL", $board['uri'])) or error(db_error()); + + $count = current($query->fetch()); + $count = floor((THREADS_PER_PAGE + $count - 1) / THREADS_PER_PAGE); $pages = Array(); for($x=0;$x<$count && $xbindValue(':id', $cite); + $query->execute() or error(db_error($query)); + + if($post = $query->fetch()) { $replacement = '>>' . $cite . ''; } else { $replacement = ">>{$cite}"; } - mysql_free_result($result); // Find the position of the cite $position = strpos($body, $cites[0][$index]); 
@@ -337,39 +310,39 @@ } function buildThread($id, $return=false, $mod=false) { - global $sql, $board; + global $board; $id = round($id); - $query = mysql_query(sprintf( - "SELECT `id`,`thread`,`subject`,`name`,`email`,`trip`,`body`,`time`,`thumb`,`thumbwidth`,`thumbheight`,`file`,`filewidth`,`fileheight`,`filesize`,`filename`,`ip`,`sticky` FROM `posts_%s` WHERE (`thread` IS NULL AND `id` = '%d') OR `thread` = '%d' ORDER BY `thread`,`time`", - mysql_real_escape_string($board['uri']), - $id, - $id - ), $sql) or error(mysql_error($sql)); - - while($post = mysql_fetch_array($query)) { + $query = prepare(sprintf("SELECT `id`,`thread`,`subject`,`name`,`email`,`trip`,`body`,`time`,`thumb`,`thumbwidth`,`thumbheight`,`file`,`filewidth`,`fileheight`,`filesize`,`filename`,`ip`,`sticky` FROM `posts_%s` WHERE (`thread` IS NULL AND `id` = :id) OR `thread` = :id ORDER BY `thread`,`time`", $board['uri'])); + $query->bindValue(':id', $id, PDO::PARAM_INT); + $query->execute() or error(db_error($query)); + + while($post = $query->fetch()) { if(!isset($thread)) { $thread = new Thread($post['id'], $post['subject'], $post['email'], $post['name'], $post['trip'], $post['body'], $post['time'], $post['thumb'], $post['thumbwidth'], $post['thumbheight'], $post['file'], $post['filewidth'], $post['fileheight'], $post['filesize'], $post['filename'], $post['ip'], $post['sticky'], $mod ? '?/' : ROOT); } else { $thread->add(new Post($post['id'], $thread->id, $post['subject'], $post['email'], $post['name'], $post['trip'], $post['body'], $post['time'], $post['thumb'], $post['thumbwidth'], $post['thumbheight'], $post['file'], $post['filewidth'], $post['fileheight'], $post['filesize'], $post['filename'], $post['ip'], $mod ? '?/' : ROOT)); } } - $body = Element('thread.html', Array( - 'button'=>BUTTON_REPLY, - 'board'=>$board, - 'body'=>$thread->build(), - 'post_url' => POST_URL, - 'index' => ROOT, - 'id' => $id, - 'mod' => $mod, - 'return' => ($mod ? '?' . $board['url'] . FILE_INDEX : ROOT . 
$board['uri'] . '/' . FILE_INDEX) - )); + + // Check if any posts were found + if(!isset($thread)) error(ERROR_NONEXISTANT); + + $body = Element('thread.html', Array( + 'button'=>BUTTON_REPLY, + 'board'=>$board, + 'body'=>$thread->build(), + 'post_url' => POST_URL, + 'index' => ROOT, + 'id' => $id, + 'mod' => $mod, + 'return' => ($mod ? '?' . $board['url'] . FILE_INDEX : ROOT . $board['uri'] . '/' . FILE_INDEX) + )); if($return) return $body; else @file_put_contents($board['dir'] . DIR_RES . sprintf(FILE_PAGE, $id), $body) or error("Couldn't write to file."); - mysql_free_result($query); } function generate_tripcode ( $name, $length = 10 ) { diff --git a/inc/instance-config.php b/inc/instance-config.php index 408e9b85..88178f2c 100644 --- a/inc/instance-config.php +++ b/inc/instance-config.php @@ -7,17 +7,18 @@ * * You can copy values from config.php (defaults) and paste them here. */ - - - /* + + + // Database stuff - define('MY_SERVER', '127.0.0.1'); - define('MY_USER', ''); - define('MY_PASSWORD', ''); - define('MY_DATABASE', ''); - + define('DB_TYPE', 'mysql'); + define('DB_SERVER', 'localhost'); + define('DB_USER', ''); + define('DB_PASSWORD', ''); + define('DB_DATABASE', ''); + define('ROOT', '/'); - + // define('FOO', 'bar'); - */ + ?> \ No newline at end of file diff --git a/inc/mod.php b/inc/mod.php index b5e773f5..65675dff 100644 --- a/inc/mod.php +++ b/inc/mod.php 
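Review bot: buildThread()'s new query binds `:id` once while the SQL uses `:id` twice; PDO documents that a named marker may appear only once unless emulated prepares are enabled, so with native prepares (the setup this diff's new database.php may or may not choose — its connection code is not readable here) the statement fails for every thread. Use two names and bind both: `WHERE (`thread` IS NULL AND `id` = :id) OR `thread` = :thread` with `$query->bindValue(':thread', $id, PDO::PARAM_INT);`. The added `if(!isset($thread)) error(ERROR_NONEXISTANT);` is a real fix for the old undefined-variable path; a one-line comment noting it also keeps the `@file_put_contents` below from writing an empty page for a bogus id would help the next reader.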
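Review bot: This hunk removes the `/* ... */` around the database block, so inc/instance-config.php — which appears to be a tracked file, given its index line in this diff — now carries the live DB_USER/DB_PASSWORD of every install, and the first admin who fills them in and commits publishes the credentials. Keep the tracked copy as a template (rename it to instance-config.php.example, or ship the defines commented out as before) and list the real file in .gitignore. A header comment such as `// Copy to instance-config.php and fill in; never commit real credentials` would state the intent where the values are typed.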
@@ -17,13 +17,12 @@ $password = sha1($password); } - $res = mysql_query(sprintf( - "SELECT `id`,`type` FROM `mods` WHERE `username` = '%s' AND `password` = '%s' LIMIT 1", - mysql_real_escape_string($username), - $password - ), $sql) or error(mysql_error($sql)); + $query = prepare("SELECT `id`,`type` FROM `mods` WHERE `username` = :username AND `password` = :password LIMIT 1"); + $query->bindValue(':username', $username); + $query->bindValue(':password', $password); + $query->execute(); - if($user = mysql_fetch_array($res)) { + if($user = $query->fetch()) { return $mod = Array( 'id' => $user['id'], 'type' => $user['type'], @@ -142,22 +141,19 @@ // Delete a post (reply or thread) function deletePost($id) { - global $board, $sql; + global $board; // Select post and replies (if thread) in one query - $post_res = mysql_query(sprintf( - "SELECT `id`,`thread`,`thumb`,`file` FROM `posts_%s` WHERE `id` = '%d' OR `thread` = '%d'", - mysql_real_escape_string($board['uri']), - $id, - $id - ), $sql) or error(mysql_error($sql)); - - if(mysql_num_rows($post_res) < 1) { + $query = prepare(sprintf("SELECT `id`,`thread`,`thumb`,`file` FROM `posts_%s` WHERE `id` = :id OR `thread` = :id", $board['uri'])); + $query->bindValue(':id', $id, PDO::PARAM_INT); + $query->execute() or error(db_error($query)); + + if($query->rowCount() < 1) { error(ERROR_INVALIDPOST); } // Delete posts and maybe replies - while($post = mysql_fetch_array($post_res)) { + while($post = $query->fetch()) { if(!$post['thread']) { // Delete thread HTML page @unlink($board['dir'] . DIR_RES . sprintf(FILE_PAGE, $post['id'])); 
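Review bot: The login query's `$query->execute();` is the only execute() in this diff whose return value is ignored; if the statement fails, fetch() returns false and the operator sees a rejected login rather than a database error. Match the other call sites with `$query->execute() or error(db_error($query));`. The `:password` binding still carries a bare sha1() of the password (the sha1 line is context, not new here), so the database compares an unsalted fast hash; the standard fix — fetch the row by username, then password_verify() in PHP with password_hash()-stored values — is a separate change from this port but worth tracking.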
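Review bot: deletePost() decides "no such post" from `$query->rowCount() < 1` on a SELECT; the PDO manual states rowCount() after a SELECT is driver-dependent and not to be relied on in portable code, and this same commit adds DB_TYPE values beyond mysql. Fetch first and test the result, e.g. `$posts = $query->fetchAll(); if(count($posts) < 1) error(ERROR_INVALIDPOST);` and iterate `$posts` below. The SELECT also uses `:id` twice with one bindValue(), which PDO permits only with emulated prepares; bind a second name for the `thread` comparison. The loop body that removes files, and the function's end, continue outside this hunk.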
@@ -172,11 +168,8 @@ } } - mysql_query(sprintf( - "DELETE FROM `posts_%s` WHERE `id` = '%d' OR `thread` = '%d'", - mysql_real_escape_string($board['uri']), - $id, - $id - ), $sql) or error(mysql_error($sql)); + $query = prepare(sprintf("DELETE FROM `posts_%s` WHERE `id` = :id OR `thread` = :id", $board['uri'])); + $query->bindValue(':id', $id, PDO::PARAM_INT); + $query->execute() or error(db_error($query)); } ?> \ No newline at end of file diff --git a/mod.php b/mod.php index fec65c02..0fdc0f5a 100644 --- a/mod.php +++ b/mod.php @@ -6,6 +6,7 @@ } require 'inc/config.php'; require 'inc/template.php'; + require 'inc/database.php'; require 'inc/user.php'; require 'inc/mod.php'; @@ -175,20 +176,21 @@ if(!preg_match('/^\w+$/', $b['uri'])) error(sprintf(ERROR_INVALIDFIELD, 'URI')); - mysql_query(sprintf( - "INSERT INTO `boards` VALUES (NULL, '%s', '%s', " . - (empty($b['subtitle']) ? 'NULL' : "'%s'" ) . - ")", - mysql_real_escape_string($b['uri']), - mysql_real_escape_string($b['title']), - mysql_real_escape_string($b['subtitle']) - ), $sql) or error(mysql_error($sql)); + $query = prepare("INSERT INTO `boards` VALUES (NULL, :uri, :title, :subtitle)"); + $query->bindValue(':uri', $b['uri']); + $query->bindValue(':title', $b['title']); + if(!empty($b['subtitle'])) { + $query->bindValue(':subtitle', $b['subtitle']); + } else { + $query->bindValue(':subtitle', null, PDO::PARAM_NULL); + } + $query->execute() or error(db_error($query)); // Open the board openBoard($b['uri']) or error("Couldn't open board after creation."); // Create the posts table - mysql_query(Element('posts.sql', Array('board' => $board['uri'])), $sql) or error(mysql_error($sql)); + query(Element('posts.sql', Array('board' => $board['uri']))) or error(db_error()); // Build the board buildIndex(); diff --git a/post.php b/post.php index 0b0e0a64..fccf3f16 100644 --- a/post.php +++ b/post.php 
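Review bot: The `preg_match('/^\w+$/', $b['uri'])` check kept as context here is the only thing that makes every `sprintf("... `posts_%s` ...", $board['uri'])` table name in functions.php and inc/mod.php safe, since PDO cannot bind identifiers; that invariant should be stated at the check, e.g. `// URI is interpolated into table names (posts_<uri>) everywhere; must stay [A-Za-z0-9_]`. The boards row is inserted before `query(Element('posts.sql', ...))` creates its table, so a failure there leaves a board with no posts table; on MySQL a CREATE TABLE commits implicitly, so a transaction will not undo the INSERT — delete the boards row in that failure path, or create the table before inserting the row.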
@@ -6,6 +6,7 @@ } require 'inc/config.php'; require 'inc/template.php'; + require 'inc/database.php'; require 'inc/user.php'; // Fix for magic quotes @@ -191,9 +192,6 @@ // Todo: Validate some more, remove messy code, allow more specific configuration - // MySQLify - mysql_safe_array($post); - $id = post($post, $OP); if($post['has_file'] && $post['zip']) { @@ -295,12 +293,7 @@ buildThread(($OP?$id:$post['thread'])); if(!$OP) { - mysql_query( - sprintf("UPDATE `posts_%s` SET `bump` = '%d' WHERE `id` = '%s' AND `thread` IS NULL", - mysql_real_escape_string($board['uri']), - time(), - $post['thread'] - ), $sql) or error(mysql_error($sql)); + bumpThread($post['thread']); } buildIndex(); @@ -318,8 +311,8 @@ sql_open(); // Build all boards - $boards_res = mysql_query('SELECT * FROM `boards`', $sql) or error(mysql_error($sql)); - while($_board = mysql_fetch_array($boards_res)) { + $boards = listBoards(); + foreach($boards as &$_board) { setupBoard($_board); buildIndex(); }
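Review bot: This hunk keeps `sql_open();` as context although the same diff deletes sql_open() from inc/functions.php; unless the garbled top of the new inc/database.php defines it again, the rebuild-all path dies on an undefined function. The `foreach($boards as &$_board)` takes a reference it never needs (setupBoard() receives a value) and is not followed by `unset($_board)`, leaving `$_board` aliased to the last element after the loop; `foreach($boards as $_board) {` is sufficient.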